Kaspersky used GITEX 2025 to share fresh telemetry from the GCC. The firm counted 50+ million web and local threats blocked in the region in the first eight months of 2025. Password stealers are up 21%. Spyware is up 34%. Ransomware remains targeted but the share of users hit rose from 0.24% to 0.30%. That small shift matters because attackers are picking high-value victims.
GCC threat numbers: what’s rising
More total detections across the GCC, with a clear swing to credential theft and surveillance.
- 50M+ web and local threats blocked Jan–Aug 2025
- Password stealer detections: +21%
- Spyware attacks: +34%
- Why it matters: stolen logins fuel bigger breaches and resale markets
Kaspersky’s snapshot shows attackers leaning hard on info-stealing tools. Password stealers grab browser-saved credentials and session cookies; spyware hangs around and tracks activity. Both give criminals cheap, reusable access to accounts and corporate networks—often the prelude to larger incidents.
Ransomware: fewer hits, bigger targets
The victim share edged up, signalling more targeted campaigns against enterprises and government.
- GCC users targeted by ransomware rose from 0.24% → 0.30%
- Campaigns are more selective, not “spray and pray”
- High-value targets mean lower case counts but higher impact
Kaspersky stresses that modern ransomware isn’t about volume. Groups chase entities that will pay or be disrupted if hit, so even small percentage moves should set off alarms for UAE CISOs. Expect double-extortion tactics and longer dwell times before encryption.
Business threats: backdoors and Office exploits
Enterprise-focused malware is climbing, with backdoors and Office exploits leading the way.
- Backdoor detections: +32%
- Exploit detections: +21%; Microsoft Office most targeted
- For businesses: password stealers +72%, spyware +58%
Backdoors give remote control to attackers. Pair that with Office-format exploits and you get a reliable initial foothold in many GCC organisations. Once in, password stealers and spyware deliver credentials and visibility, enabling lateral movement or resale to ransomware crews.
Why password stealers and spyware matter
These tools are quiet, persistent, and highly monetisable.
- Harder to detect; live longer on endpoints
- Stolen credentials can be resold to ransomware groups
- Increases risk of account takeovers and data leaks
Kaspersky’s researchers say criminals are getting strategic. Complex tools are replacing noisy, basic attacks. Credentials and surveillance data are valuable, tradable assets—and a shortcut to breach scale.
How UAE teams can cut risk—practical steps
Combine platform-level detection with good security hygiene and user training.
- Use XDR/EDR platforms to hunt backdoors, spyware, ransomware
- Patch widely used apps—especially Office
- Subscribe to threat intelligence for GCC-relevant TTPs
- Run regular phishing training and credential-hygiene drills
- Consumers: run a reputable security suite on all devices
These aren’t silver bullets, but they reflect what’s working in the region. Teams that pair telemetry-driven detection with quick patching and user education are better placed to block stealers before they spread and to contain ransomware quickly if it lands.
What period do the GCC numbers cover?
January to August 2025, based on Kaspersky’s telemetry.
Are these attacks mostly mass campaigns?
No. Ransomware in particular is more targeted, focusing on high-value organisations.
Which enterprise threats are growing fastest?
Backdoors (+32%) and Microsoft Office exploits (+21%) led the growth, with big jumps in password stealers (+72%) and spyware (+58%) against businesses.